Position Paper - Mobile Phone Security Scene Setting

Charles Brookson CEng FIET FRSA
Chairman of the GSM Association Security Group

Interest in the Workshop

I have been involved in GSM Security since 1985, and chaired the Algorithm Expert Group in 18986. I have been Chairman of the GSMA Security Group for over 20 years. I have also attended all the standardisation groups on security since then, the latest being 3GPP (www.3gpp.org). I also look after security for ETSI (www.etsi.org) as Chairman ETSI OCG Security, ETSI being the European Standards Organisation responsible to the EU to set standards for telecommunications.

The GSMA Security Group (www.gsmworld.com) is part of the GSM Association. The GSMA represents the interests of the worldwide mobile communications industry. Spanning 219 countries, the GSMA unites nearly 800 of the world's mobile operators, as well as more than 200 companies in the broader mobile ecosystem, including handset makers, software companies, equipment providers, Internet companies, and media and entertainment organisations. The GSMA is focused on innovating, incubating and creating new opportunities for its membership, all with the end goal of driving the growth of the mobile communications industry.

We have both a security group and a fraud group:

Security Group SG: SG maintains and develops GSMA algorithms and protocols, and has responsibility for maintaining the technical security aspects of network infrastructure and customer apparatus. The group also works closely with the Fraud Forum by examining and recommending infrastructure solutions to combat fraud. The Group consists of technical representatives from Association members who study the security threats to GSM and its interfacing with 3rd Generation and converging technologies, and advise members of possible security issues or required countermeasures.

Fraud Forum FF: In conjunction with the Security Group, the Fraud Forum exchanges best practice globally in relation to fraud and security management for mobile network operators. The main focus of the Fraud Forum is to identify and analyse the various techniques that are used throughout the world to perpetrate fraud against member networks and to recommend practical, cost-effective solutions. As the mobile industry continues to develop, the Fraud Forum analyses potential fraud risks associated with the latest advanced services in addition to combating traditional mobile telecoms fraud.

Proposed coverage of input:

I propose to cover our experiences of the latest security threats to mobile systems, including:

- Some of the original design thoughts for security. The requirements for privacy, anonymity, authentication and the compromises made, and subsequent improvements to security made by later designs for 3G and LTE.
- The evolution to 3G and LTE, and issues such as femtocells, integrity.
- Spam, Malware, Trojans and Smartphone issues as devices became more capable.
- Meeting Legislative requirements for Privacy, data retention and lawful interception, export control on dual use goods and stolen mobiles.
- Network security and the impact on the system design.
- The motivation and impact of organised crime, fraud, hackers and academic interest with some examples.
- The latest threat scene and how it may evolve.

Note that the talk will cover these areas, but I do not intend to commit all the issues to paper. The intention is to inform, stimulate thought, and answer questions!